Report: NSA Harvests Contact Lists From Email, Facebook

The Washington Post has published new revelations about the National Security Agency's electronic snooping, indicating that the intelligence branch gathers millions of contact lists from personal email accounts and instant messaging around the world.

The new information is attributed by The Post to "senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden."

"The collection program, which has not been disclosed before, intercepts e-mail address books and 'buddy lists' from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers.

"Rather than targeting individual users, the NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world's e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and to map relationships within a much smaller universe of foreign intelligence targets."

According to the newspaper, in a single day last year the NSA harvested 444,743 email address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers.

The Post story quotes Yahoo as saying that in response to NSA efforts, the tech company would begin encrypting user connections using SSL technology in January.

However, last month, The Two-Way's Eyder Peralta wrote that The New York Times and The Guardian, relying on documents from Snowden, revealed that the NSA has the keys to crack most Internet encryption methods.

"In plain English, this means that many of the tools — like TLS, used by many banks and email providers — that people worldwide have come to believe protect them from snooping by criminals and governments are essentially worthless when it comes to the NSA."

Copyright 2013 NPR. To see more, visit http://www.npr.org/.

Transcript

ROBERT SIEGEL, HOST:

There's more news from the NSA documents leaked by Edward Snowden. Yesterday, The Washington Post reported that the agency is gathering hundreds of millions of contact lists from personal email and instant messaging accounts. According to The Post report, the program collects more than a half million address books from Gmail, Yahoo, Facebook, every day. For more on this, we're joined by Barton Gellman. He's with The Century Foundation, on assignment to The Washington Post, one of the two reporters who worked on this. Welcome to the program once again.

BARTON GELLMAN: Thank you.

SIEGEL: And how does the collection program work?

GELLMAN: Well, the NSA could not collect all these address books and contact lists if it did it in the United States because this is a bulk collection program, not targeted at individuals. So it uses 18 access points overseas, which it negotiates, for example, with foreign telephone companies or Internet switching companies. But there are probably tens of millions of Americans whose contacts have been harvested this way because it's the structure of the Internet. If you sign on to Gmail from Kansas, you may be served by a server in Finland. The big, big companies have data centers all over the world and they distribute their loads and work around outages that way. I mean, the Internet does not respect international borders.

SIEGEL: The quantity of what the NSA would be getting this way is a little mind-boggling, but what is the quality of it? How useful is this information?

GELLMAN: Well, it's hard to know exactly but the NSA very much likes to draw maps and social graphs of contacts and networks. That is to say, who are you in communication with? Who do you associate with? Which networks of communicants overlaps? You can learn an enormous amount from this kind of metadata. The stuff they're harvesting also includes content because they're getting your online address book, your chat buddy list, if that's separate, and they don't always coincide. And, because they want to know who you're currently in contact with, they're collecting what they call the inboxes of Webmail accounts. So it's that list you first see when you log on on the messages you've got. That tells them people you're communicating with who may or may not be in your address book.

SIEGEL: In the Washington Post story, you quoted a senior U.S. intelligence official saying that despite mass collection, the privacy of Americans is protected here because - this is a quote -"we have checks and balances built into our tools." What's he talking about?

GELLMAN: Well, he's talking about the so-called minimization rules, which means there are rules about masking your identity. There are rules about circumstances under which they can look at your contact list, whether they can chain from it. Chaining is a tool they use that maps the contacts - who, you know, who are your contacts, who are their contacts, who are the third-order contacts. So they have rules limiting all this but they're not releasing the rules. And we've seen in other cases in which the rules are a little stricter, that they leave a lot of room for the NSA to look anyway.

SIEGEL: You've been working on this for months. And the distinction between data and metadata is routinely asserted by the NSA. That is, we're not surveilling your communications. We're surveilling the architecture of your communications. I don't know how they would say it. I'm curious what you make of this distinction. Do you find it - I mean, are you struck by how strong the distinction is after all these months, how weak it is? What would you say?

GELLMAN: Everyone from President Obama on down has said, don't worry about some of these programs like collecting all your telephone calls. They're only metadata. Now, what I've found is that metadata can be as revealing - sometimes even more revealing - than the so-called content.

So, for example, I would much rather someone listen to my phone calls for a month than to have them map who I've talked to, where I went, all my connections for a month, because I can control what I say on the phone. You get a much more revealing picture of people, for example, who are my confidential sources, or whether I'm negotiating to leave my employer and take a new job or a secret business deal, whether I'm having an extramarital affair, whether I'm seeing a psychiatrist. Anything that I might not want to broadcast to the world will be revealed quite clearly from metadata. So in a lot of ways, it's more intrusive.

SIEGEL: Barton Gellman is senior fellow at the Century Foundation. He's also writing for the Washington Post and has reported on the Snowden documents from the NSA. Thanks for talking with us.